Requesting an X.509 certificate from a third-party certificate authority

To secure communications between clients and the SafeLinx Server, you must obtain an X.509 certificate and add it to a key file database on the SafeLinx Server. In production environments, purchase an X.509 certificate from a third-party certificate authority (CA) and use the IBM® Key Management tool to submit a certificate signing request (CSR) to the CA.

About this task

Use the Key Management tool to generate a certificate request any time that you need a new certificate. A certificate request is required to obtain a certificate for the first time or to replace an existing certificate. The Key Management tool is installed automatically when you install the SafeLinx Server or the SafeLinx Administrator. Before you can obtain a new signed certificate, you must purchase the certificate from a CA. It can take two to three weeks to get a certificate from a well-known CA. While you wait for a certificate to be issued, you can create a self-signed server certificate to enable TLS sessions. For more information, see Creating a self-signed certificate.

Complete the following task to generate a certificate request.

Procedure

  1. From the SafeLinx Server, open the IBM® Key Management tool.
    • From Windows, log in as an administrator, and then click Start > All Programs > HCL SafeLinx > Key management.
    • From Linux, log in as root, and from a command line, type 
      wg_ikeyman
  2. If you do not want to use a default key database file, create a new one. For more information, see Creating a key database file.
    For your convenience, the SafeLinx Server includes a default key database that includes several sample signer certificates. Each of the default signer certificates has an expiration date. If you decide to use the default key database, verify the expiration dates of the certificates and replace certificates that are no longer valid. When you purchase a signed certificate from a CA, the CA provides the most recent version of its signer certificate.
  3. Open the key database file.
    1. Click Key Database File > Open.
    2. In the Key database type field, click CMS.
    3. Click Browse, select the key database file, click Open, and then click OK.
      For example, to open the default HTTP access services key database, browse to the SafeLinx Server installation directory, and select http.trusted.kdb.
      For information about the default key database files that are included with the Connection Manager, see Securing communications between the SafeLinx Server and other nodes.
    4. When prompted, type the password for the key database. Passwords are case-sensitive. By default, the password for the default key database is trusted.
  4. Click Create > New Certificate Request.
  5. In the Create New Key and Certificate Request dialog box, provide the information that the CA requires to fulfill the request, and click OK.
    At minimum, provide information in the Key Label and Common Name fields.

    Also, be sure to specify the proper key size. Smaller keys are processed quickly, but are less secure. Larger keys provide greater security, but result in slower response times. Although the Key Management tool allows for requests that specify a 1024-bit key size, most certificate authorities do not support key sizes that are less than 2048 bits.

    Some environments use advanced configurations that require certificates that use wildcards, or that can be stored across multiple servers. For information about how to complete CSRs for specific configurations, contact the certificate authority.

  6. Specify a name for the request file and directory where you want to save it.
    For example, /opt/ibm/ConnectionManager/httpcertreq.arm
    By default, certificate requests are saved in the file certreq.arm.
    Note: Be sure to change the default name or location. If you use the default name, you risk overwriting earlier requests that you create from this instance of the Key Management tool.
    A message box notifies you where the certificate request is saved. Be sure to note the directory where the request file was saved.

What to do next

You are now ready to submit the request file through the website of the CA.

Choose a CA and follow the CA's instructions for sending them the completed certificate request.

When you submit the request, notify the CA that the certificate is for use with the IBM® HTTP Server. The CA can then return the signed certificate in a format that is most compatible with the IBM® Key Manager. For best results, request that certificates are returned in PKCS12 (.p12) format.